Underground economy flourishes online

By William Jackson

Nov 25, 2008

As the legitimate economy hits the skids, an underground economy with billions of dollars' worth of illegal goods and services being bought, sold and bartered online is flourishing, according to a yearlong study by Symantec Corp.

The total value of goods advertised in the underground markets Symantec studied is estimated at $276 million, with credit-card information making up nearly 60 percent of the total. But the potential value of stolen or fraudulent credit-card information could top $5 billion in terms of goods and services illegally obtained with it. The cash value of financial account information offered for sale totaled about $1.7 billion.

What was surprising about the findings was 'the scope and breadth of the underground economy,' said Marc Fossi, executive editor of the report. 'The whole thing is very much self-sustaining. It follows basic economic principles.'

A would-be criminal can buy a phishing kit online to steal credit-card information, hire a botnet to distribute the spam and gather the information, pay to have information validated, sell the information online, and use credit-card numbers to upgrade the phishing kit. 'It's a one-stop shop,' Fossi said.

Principles of supply and demand appear to regulate the availability of goods and services, he said, with the goods and services being advertised for sale roughly balanced with requests. For example, bank-account credentials accounted for about 14 percent of information requested on the online marketplaces and about 18 percent of advertisements for sale. Credit cards with verification numbers were about 18 percent of advertisements and about 13 percent of requests.

The survey studied underground economic activity being conducted online, largely on Internet Relay Chat (IRC) channels and Web forums, from July 2007 through June 2008. Symantec has included some of that kind of information in previous semiannual Internet Security Threat Reports, but the current report provides a more granular look at goods and services for sale. Because there is no comparable data to measure it against, the study shows a snapshot rather than trends.

'This report is a deep dive into the underground economy,' Fossi said.

During the period studied, credit-card information accounted for 31 percent of all advertisements for sale and was the most sought-after category, accounting for 24 percent of requests. It was followed by financial account information and spam and phishing services. The average balance for financial accounts was $40,000, and prices for bank-account credentials ranged from $10 to $1,000, depending on the balance and the location of the account.

The most popular method of payment for those goods and services was online currency accounts, which were used in 63 percent of cases.

The cost of a botnet, a network of compromised computers that can be used to launch attacks and harvest information, averaged about $225. Hosting services for phishing scams were at the low end of the price scale, ranging from $2 to $80, with an average price of $10. At the other end of the price scale were exploits for site-specific vulnerabilities on financial services sites, which ranged from $100 to nearly $3,000 and averaged $740.

A lot of the underground activity is done via IRC, Fossi said.

'We have started to see them migrate away from Web forums to IRC,' he said, possibly because of some high-profile law enforcement stings that targeted Web forums.

One of the largest IRC server networks Symantec saw during the study had about 28,000 channels and 90,000 users. The smallest had five channels and 40 users. Most underground-economy servers had a lifespan of less than six months.

The distribution of underground servers is global and pretty much follows the distribution of servers overall, with 46 percent being located in North America and smaller percentages in Europe, the Middle East, Asia and Latin America. However, that information says little about the location of criminal activity because an individual or gang can use a server anywhere in the world, Fossi said.

There is a lot of talk of organized computer crime, but the degree of organization varies and the gangs often are loose collections of individuals cooperating with one another, Fossi said.

'Various arrests and indictments of underground-economy participants suggest that groups in Russia and Eastern Europe are more organized in their operations, with greater ability to mass-produce physical credit and debit cards,' the report states.

'In contrast, groups operating out of North America tend to be loosely organized, often made up of acquaintances who have met in online forums and/or IRC channels and who have chosen to associate with each other,' the report states. 'Another notable contrast is that there have been a number of recorded incidents involving undercover law enforcement agents or confidential informants within groups based in North America, whereas Symantec has not observed any publicized incidents of the same in Europe.'

In addition, groups often work together. 'In some cases, groups operating out of North America have relied on the more professional Eastern European groups to supply them with high-quality fraudulent cards for use in schemes such as automated teller machine (ATM) skimming.'

'It also is self-policing,' Fossi said of the marketplace. There is an informal reputation-based system similar to eBay's, and dealers who do not follow through with their proffered goods or services can be labeled rippers.

But in the end, buyers and sellers are trusting to the honor among thieves.

'There is always the chance that you are going to get ripped off,' Fossi said.